Much ink has been spilled on the state of our nation’s military and national security capabilities. As it stands, the United States currently possesses a military roughly equivalent in power to every other state’s conventional military combined. The prolonged wars of attrition against guerilla forces in Afghanistan and Iraq, however, have made clear that the United States is less prepared to handle unconventional threats.
This is particularly the case with network security, an area where the United States has less of an overwhelming advantage. Stuxnet, a new malware virus that appears to have targeted Iran’s nuclear infrastructure, is a prime example of the destructive power of unconventional threats. Stuxnet represents the beginnings of what could be a new wave of cyber security threats: specially constructed viruses capable of destabilizing national infrastructure.
VirusBlokAda, a small Belarusian antivirus software company, reported the existence of Stuxnet in June of this year. Tens to hundreds of thousands of computers were affected worldwide by July, 60 percent of them in Iran. Such a massive concentration of infected computers has led many experts to surmise the Islamic Republic was specifically targeted. Stuxnet has the ability to exploit various internal security holes in the Windows operating system in order to attack numerous industrial control systems. These systems are used to regulate power plants, oil pipelines, military installations, and in Iran’s case, its burgeoning nuclear program.
Stuxnet reportedly has the ability to alter the functionality of Iran’s nuclear centrifuges, thereby hindering their ability to create weapons-usable fissile material. Normally, centrifuges spin at a constant speed in order to enrich uranium, which can then be used as fuel for nuclear energy or fissile material for nuclear weapons. Stuxnet causes extreme fluctuations in the rotational speed of the centrifuges, eventually causing them to break apart. Iranian President Mahmoud Ahmadinejad has publicly confirmed the effects of Stuxnet. He said, “Problems were created for a limited number of centrifuges due to the software installed in some of the electronic equipment.”
The malware is so refined that many have surmised that Stuxnet is not the work of an isolated hacker or group of hackers, but a calculated attack on Iran by a rival state. Some sources accused the United States of perpetrating the attack, while also pointing the finger at a number of other Western nations and international organizations, such as NATO. Others suggest the involvement of Israel due to a biblical reference inherent in Stuxnet’s coding. There are even reports that the virus was not aimed at Iran at all but was rather a Chinese cyberattack directed at India, and that the instances of the virus found in the Islamic Republic were unintentional.
No matter who is responsible for perpetrating this net assault on Iran, one thing remains clear: Stuxnet has revealed vulnerabilities that all countries, including the United States, must take seriously. The Stuxnet virus is a potential game changer for national cyber security and should be seen as a wake-up call. Previous encounters with cyber assaults, such as Russia’s purported cyberattacks against Georgia in the 2008 South Ossetia War or the recent suspected Chinese attack on the Nobel Peace Prize website, were reportedly limited to isolated hackers or spies acting to commit espionage or mild sabotage. Stuxnet, by comparison, is surmised to have done everything from delaying nuclear programs to disabling an active satellite. In the future, this type of virus could shut down factories and power lines, proving disastrous to a nation’s economy or military.
There are voices in the Pentagon speaking out for a fundamental change in U.S. cyber security strategies. U.S. Deputy Secretary of Defense William J. Lynn is calling for a move away from traditional “Maginot Line” strategies based on the usage of firewalls toward an “active defense” based on utilizing computer viruses as offensive tools against the nation’s enemies. As cyber security inevitably comes to play a more prominent role in 21st century national security policies, the United States will need to address these concerns in order to shape an effective and appropriate cyber security strategy.
The United States must be proactive in its approach to atypical national security threats in order to defend against virus attacks like Stuxnet. Taking out a power grid or nuclear program once required conventional military tools and forces, a contingency for which the United States is adequately prepared. However, when a nation or group can penetrate critical infrastructure through computer viruses, cyber security is no longer an issue of safeguarding information; it is a matter of national security.
Lawrence J. Korb is a Senior Fellow and Marc Perel is an intern with the National Security team at American Progress.